cracklib dicts size (and fedora password policy)
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 6 13:17:44 UTC 2013
On 09/06/2013 09:08 AM, Tomas Mraz wrote:
> On Fri, 2013-09-06 at 09:04 -0400, Matthew Miller wrote:
>> The cracklib dicts in Fedora are 8.3M. (I'm sure some of this is my fault,
>> as I've added to it over the years.) The cracklib pam module supports a
>> compressed dictionary, but apparently it has a serious performance
>> impact (https://bugzilla.redhat.com/show_bug.cgi?id=1004896).
>>
>> Meanwhile, in many systems today, local passwords are entirely unused.
>> Authentication is done via keys or by kerberos.
>>
>> At the same time, we have an increased need for smaller systems. That
>> 8MB starts to be a meaningful fraction of a container or an ultra-small
>> cloud image.
>>
>> I do recognize the value of protecting against dictionary-based attacks
>> when passwords are used. Maybe we could have a policy which requires
>> _longer_ passwords but uses a much smaller dictionary?
>
> The other option would be to fix the gzip support in cracklib to cache the
> unpacked data somehow. However, that would require keeping the unpacked
> dictionary in RAM when cracklib is loaded, which is suboptimal as well. Or
> we could make the cracklib-dicts optional somehow so it is possible to
> install an ultra small cloud image without the dictionary at all - I expect
> an ultra small cloud image not to need password quality checking at all.
>
Could anaconda decompress the file to another location to fix their problem?
Then we ship it compressed? I am willing to wait an extra 10 seconds while
changing my password, which I do very seldom. Maybe have the library look for a
decompressed file first and fail over to the compressed one. Then admins could
decompress it if they see this as a problem.
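Added example (not code from this thread, from Fedora or from cracklib): a small Python model of the lookup order proposed in the reply above, namely prefer a decompressed word list when an admin has unpacked one, fall back to the gzip copy (the slow path), and fail closed if neither exists, combined with the "longer passwords, smaller dictionary" idea from the original message as a minimum-length knob. The dictionary file name, the sample word list, the minimum length of 8 and the digit-stripping rule are all constructed for the example; cracklib's real packed index format and mangling rules are not reproduced.

```python
"""Plain-file-first dictionary lookup for a password quality check.

Added example, not code from the thread, from Fedora or from cracklib.
It models the lookup order proposed in the reply: use a decompressed word
list when an admin has unpacked one, otherwise fall back to the gzip copy
(the slow path), and fail closed if neither exists.  cracklib's real packed
index and mangling rules are not reproduced; the word list, file names and
minimum length are constructed for the example.
"""
import gzip
import os
import tempfile

DICT_BASENAME = "pw_dict"  # hypothetical name; the real path is an assumption

# Constructed sample word list standing in for the 8 MB dictionary.
SAMPLE_WORDS = ["password", "fedora", "redhat", "anaconda", "cracklib"]


def open_dictionary(directory):
    """Return (text file object, source) preferring the decompressed copy."""
    plain = os.path.join(directory, DICT_BASENAME)
    packed = plain + ".gz"
    if os.path.exists(plain):
        return open(plain, "rt", encoding="utf-8"), "plain"
    if os.path.exists(packed):
        # Every open pays for inflating the whole file: this is the slow path
        # the bug report complains about, kept only as a fallback.
        return gzip.open(packed, "rt", encoding="utf-8"), "gzip"
    # Fail closed: a missing dictionary must not silently accept every password.
    raise FileNotFoundError(f"no dictionary at {plain} or {packed}")


def load_words(directory):
    """Load the word list into a set; returns (words, source)."""
    fh, source = open_dictionary(directory)
    with fh:
        words = {line.strip().lower() for line in fh if line.strip()}
    return words, source


def check_password(password, words, min_length=8):
    """Return None if the password is acceptable, otherwise a rejection reason.

    min_length is the 'longer passwords, smaller dictionary' knob from the
    thread; 8 is an assumed value, not Fedora policy.
    """
    if len(password) < min_length:
        return "too short"
    lowered = password.lower()
    if lowered in words:
        return "dictionary word"
    # Catch the common "dictionary word plus digits" pattern, e.g. password1.
    if lowered.rstrip("0123456789") in words:
        return "dictionary word with digits appended"
    return None


def write_sample_dictionary(directory, compressed=True):
    """Write the constructed word list as either the .gz or the plain file."""
    path = os.path.join(directory, DICT_BASENAME)
    data = "\n".join(SAMPLE_WORDS) + "\n"
    if compressed:
        with gzip.open(path + ".gz", "wt", encoding="utf-8") as fh:
            fh.write(data)
    else:
        with open(path, "wt", encoding="utf-8") as fh:
            fh.write(data)


def run_demo():
    """Exercise the fallback order and return what each step observed."""
    with tempfile.TemporaryDirectory() as d:
        # Only the compressed dictionary shipped: the slow path is used.
        write_sample_dictionary(d, compressed=True)
        _, first_source = load_words(d)
        # Admin unpacked it afterwards: the plain copy now wins.
        write_sample_dictionary(d, compressed=False)
        words, second_source = load_words(d)
        verdicts = {
            "password": check_password("password", words),
            "fedora": check_password("fedora", words),
            "Password1": check_password("Password1", words),
            "correct horse battery": check_password("correct horse battery", words),
        }
        # No dictionary at all: the check refuses rather than accepting blindly.
        missing = None
        try:
            load_words(os.path.join(d, "nowhere"))
        except FileNotFoundError:
            missing = "refused"
    return {"first": first_source, "second": second_source,
            "verdicts": verdicts, "missing": missing}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Loading the whole list into a set is the in-RAM trade-off the thread mentions; a real implementation would keep cracklib's on-disk index and only pay the gzip cost when no unpacked copy is present.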